On January 5, Tavis Ormandy, a researcher from Google Project Zero, found a remote code execution (RCE) vulnerability in Trend Micro’s antivirus-bundled product called Password Manager.

Installed by default with Trend Micro home security products, the Password Manager was built using JavaScript with node.js. To handle API requests, it opens multiple HTTP RPC ports.

According to Ormandy’s report, it took him only 30 seconds to identify an API that could be exploited for RCE. When a user visits a malicious website run by an attacker who knows of this vulnerability, the attacker can execute commands with the user’s privileges.

The report Ormandy raised with Trend Micro demonstrated abuse of the openUrlInDefaultBrowser API, but the Password Manager exposes nearly 70 APIs to the Internet.

Another API, exportBrowserPasswords, can also be exploited to export the stored passwords. In its defense, the security firm said that it wouldn’t be easy for an attacker to decrypt the encrypted passwords stored by the password tool.

Trend Micro also added a self-signed HTTPS certificate to the local machine’s certificate store so users wouldn’t see any browser errors, a practice reminiscent of other recently reported security flaws such as Lenovo’s Superfish and Dell’s eDellRoot.

Trend Micro released a patch on Monday, January 11, to address the reported vulnerability. After testing it, Ormandy confirmed that it fixed the issue, though he still recommends that the company have a third-party security consultant audit the Password Manager’s code.

Fjordan Allego aka Fjordz is an IT security practitioner in the Philippines. He maintains a couple of blogs where he shares his views on various topics that he finds interesting. A self-confessed introvert who's mostly active in social media, Fjordz also loves to travel and explore the wonders of the world.